科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion (a Hacker News mirror).

Resources: HackerNews API, original HackerNews, Next.js

© 2025 科技回声. All rights reserved.
Half of All Phishing Sites Now Have the Padlock

166 points, by snowy, over 6 years ago

14 comments

bonestamp2, over 6 years ago
On the bright side, at least your data won't get stolen by a fourth party while it's being stolen by a third party.
Comment #18554689 not loaded
Comment #18553744 not loaded
vezycash, over 6 years ago
The many mobile browsers which hide the address bar are training people to ignore website URLs.

Sites that use lots of nonsensical malware-ish URL redirects (Google and Microsoft are guilty) train people to accept random URLs.

I guess the chief culprits are email tracking links. Everyone, including banks, uses them. Often tracking domains have nothing in common with the destination URL. This teaches people to disable or ignore email provider warnings and click any link in official-sounding emails.
Comment #18553390 not loaded
Comment #18553714 not loaded
Comment #18553505 not loaded
Comment #18554665 not loaded
Comment #18554678 not loaded
Comment #18560325 not loaded
jstarfish, over 6 years ago
Users are not discerning enough to look for the padlock; they'll get taken either way. They are not the problem here.

The bigger problem with this is that the paths being requested can't be monitored by intermediary devices unless you're MITMing all outbound traffic.

It becomes impossible to tell whether a domain is simply cybersquatting or if they're up to something more sinister. '/' may return a parking page, '/login' may return a phishing page, and '/?id=c4010087800cf4e5753c80c9afbe0fe5' may be a malware callback, but as far as you can tell from your network logs all traffic to httpx://www.xn--bbox-vw5a.com is simply requesting '/'.
Comment #18556812 not loaded
girst, over 6 years ago
Only half? I'd expected them to nearly all use SSL by now. C'mon, phishers, it's free! ;-)
qrbLPHiKpiux, over 6 years ago
The cycle continues and will continue to cycle. The only proper browsing hygiene takes place between the chair and keyboard, or touch screen. Sadly, it won't change. Humans are humans.
olliej, over 6 years ago
Well yes (that it's only 50% is surprising), but realistically the presence/absence of a padlock is a terrible security indicator. Long term I would hope it goes away and you get an "insecure" UI only.
Comment #18557294 not loaded
sandov, over 6 years ago
Noob question: if a.com gets a certificate, then b.a.com can use the same cert, right? As in the example of the fb impostor in 000webhost.

So, in that same vein, can a TLD get a certificate? For example, com gets a certificate, so now anything.com has a valid certificate. Also, can I issue a cert specifically for d.c.b.a.com?
Comment #18554533 not loaded
Comment #18554405 not loaded
Comment #18556516 not loaded
Comment #18557317 not loaded
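Added example, not part of the thread, showing how a browser decides which host names a certificate is valid for: a name in the subjectAltName list matches only exactly, a wildcard may only be the whole leftmost label and stands for exactly one label (so `*.a.com` covers `b.a.com` but neither `a.com` nor `c.b.a.com`), and a wildcard over a whole public suffix such as `*.com` is rejected. The public-suffix set below is a constructed subset of the real Public Suffix List, and the certificates in the demo are constructed for the cases in the question above.

```python
from typing import Iterable

# Constructed subset of the Public Suffix List (publicsuffix.org); a real
# validator consults the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def wildcard_allowed(san_name: str) -> bool:
    """A wildcard may not cover a whole public suffix. '*.com' or '*.co.uk'
    would make one certificate valid for every name under that suffix; public
    CAs are forbidden to issue such names and browsers reject them."""
    if not san_name.startswith("*."):
        return True
    return san_name[2:].lower() not in PUBLIC_SUFFIXES


def san_matches(san_name: str, hostname: str) -> bool:
    """RFC 6125-style matching of one subjectAltName dNSName against a host."""
    san = san_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == host                   # exact only: a.com does not cover b.a.com
    first, _, rest = san.partition(".")
    if first != "*" or not rest:             # wildcard must be the entire leftmost label
        return False
    if not wildcard_allowed(san):
        return False
    host_first, _, host_rest = host.partition(".")
    # '*' consumes exactly one label, so *.a.com covers b.a.com but not
    # c.b.a.com, and not a.com itself.
    return bool(host_first) and host_rest == rest


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """A certificate is valid for a host if any SAN entry matches it."""
    return any(san_matches(name, hostname) for name in san_names)


if __name__ == "__main__":
    # Constructed certificates (as SAN lists) for the cases asked about above.
    cases = [
        (["a.com"], "b.a.com"),
        (["a.com", "*.a.com"], "b.a.com"),
        (["*.a.com"], "d.c.b.a.com"),
        (["d.c.b.a.com"], "d.c.b.a.com"),
        (["*.com"], "anything.com"),
    ]
    for sans, host in cases:
        print(f"{sans!r:28} covers {host:13} -> {cert_covers(sans, host)}")
```

The shared-hosting case from the question follows from the same rule: a host that holds `*.000webhostapp.com` can serve any single-label subdomain of it, which is why a lookalike subdomain on such a provider gets a padlock without the provider or the CA vouching for the subdomain's content.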
nerdponx, over 6 years ago
I thought this was the point of EV certs.
Comment #18554729 not loaded
Comment #18556760 not loaded
Comment #18566347 not loaded
upofadown, over 6 years ago
I remember that people were warned to avoid doing sensitive stuff on websites without the padlock. I don't remember any attempt to suggest that the padlock implied some sort of validity.
Comment #18556093 not loaded
throw2016, over 6 years ago
There is something disingenuous and false about those who have been pushing SSL 'vehemently' on the pretext of concern for end-user privacy and surveillance.

It would be slightly more credible if the response by the tech community, both in comment and action, to Snowden and Assange's revelations and invasive surveillance by Google, Facebook and others was not so embarrassing in inaction.

One can argue about degrees and doing both, but in this case it seems all the 'concern' gets expended on SSL, leaving no energy for the far more pervasive SV surveillance culture the tech community props up without protest or even leaks.
Comment #18557438 not loaded
ecesena, over 6 years ago
I'd be curious to know how many phishing sites support 2FA, i.e. can also phish time-based codes. If anyone from PhishLabs is reading... :)

Edit: grammar
Fred27, over 6 years ago
Padlock? I thought it was a handbag.
everybodyknows, over 6 years ago
TL;DR: "Padlock" means the usual icon promising the site has a valid TLS cert.

But well worth skimming through for the excellent Firefox about:config tweak "network.IDN_show_punycode".
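Added example, not part of the thread, covering the `xn--` host in jstarfish's comment and the `network.IDN_show_punycode` preference mentioned above. It decodes A-labels with Python's `punycode` codec and applies the two heuristics browsers use to decide whether to display a label in Unicode: a label mixing scripts, or a label consisting only of Cyrillic letters that each have a Latin lookalike, stays in punycode. Setting the Firefox preference to true skips the heuristics and shows punycode for every IDN label. The lookalike table is a constructed subset of the lists browsers ship, and the inputs in the demo are constructed.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin a, c, e, o, p,
# x, y, l, j, s, i. Browsers keep a longer list.
CYRILLIC_LOOKALIKES = set("\u0430\u0441\u0435\u043e\u0440\u0445\u0443\u04cf\u0458\u0455\u0456")


def label_to_unicode(label: str) -> str:
    """Decode one A-label ('xn--...') to its Unicode form; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_unicode_host(host: str) -> str:
    """What you see with network.IDN_show_punycode=false: every label decoded."""
    return ".".join(label_to_unicode(label) for label in host.split("."))


def scripts_of(label: str) -> set:
    """Script names of the letters in a label, read off the Unicode character
    name ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def display_host(host: str) -> str:
    """Show each label as Unicode unless it looks like a homograph attempt:
    letters from more than one script, or a label made only of Cyrillic
    letters that all have Latin lookalikes (the whole-script-confusable case).
    Such labels are left in punycode."""
    shown = []
    for label in host.split("."):
        uni = label_to_unicode(label)
        scripts = scripts_of(uni)
        letters = [c for c in uni if c.isalpha()]
        whole_script_confusable = scripts == {"CYRILLIC"} and all(
            c in CYRILLIC_LOOKALIKES for c in letters
        )
        shown.append(label if len(scripts) > 1 or whole_script_confusable else uni)
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed inputs: an all-Cyrillic lookalike of a Latin brand, a mixed-script
    # label, and a genuine Cyrillic name whose letters have no Latin twin.
    lookalike = "xn--80ak6aa92e.com"
    mixed = "xn--" + "p\u0430ypal".encode("punycode").decode("ascii") + ".com"
    genuine = "xn--" + "\u044f\u043d\u0434\u0435\u043a\u0441".encode("punycode").decode("ascii") + ".com"
    for host in (lookalike, mixed, genuine, "www.example.com"):
        print(f"{host:28} unicode: {to_unicode_host(host):14} shown: {display_host(host)}")
```

`xn--80ak6aa92e` decodes to five Cyrillic letters that render as "apple", so it is displayed in punycode by the heuristic, while the genuine Cyrillic name is displayed decoded. The preference named in the comment removes the judgement call entirely, at the cost of making every legitimate IDN unreadable.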
cutler, over 6 years ago
Great, so every 3 months when I have to manually renew all the LetsEncrypt certs I manage for clients, I know it's giving them zero protection. Kinda reminds me of the British Government's decision to insert road humps into all the roads in the towns and cities of the land just to deter speeding drivers. All it produced was more work for garages mending damaged exhaust pipes.
Comment #18556699 not loaded
Comment #18557202 not loaded
Comment #18556664 not loaded
Comment #18555956 not loaded